The Breaking of the AR Hash Function

The AR hash function has been proposed by Algorithmic Research Ltd and is currently being used in practice in the German banking world. AR hash is based on DES and a variant of the CBC mode. It produces a 128 bit hash value. In this paper, we present two attacks on AR hash. The rst one constructs in one DES encryption two messages with the same hash value. The second one nds, given an arbitrary message M, an M 0 6 = M with the same hash value as M. The attack is split into two parts, the rst part needs about 2 33 DES encryptions and succeeds with probability 63%, the second part needs at most about 2 66 DES encryptions and succeeds with probability about 99% of the possible choices of keys in AR. Moreover, the 2 33 respectively 2 66 encryptions are necessary only in a one-time preprocessing phase, i.e. having done one of the attacks once with success, a new message can be attacked at the cost of no encryptions at all. Since the hash value is 128 bits long, the times for the attacks should be compared to 2 64 , resp. 2 128 DES encryptions for brute force attacks. For the particular keys chosen in AR hash we implemented the rst part of the second attack. In 2 33 encryptions we found two messages that breaks AR hash. The AR hash function has been proposed by Algorithmic Research Ltd., it has been distributed in the ISO community 1] for informational purposes, but has not been considered a standard. It is currently in use in the German banking world. In the following, DES k (y) will denote the DES-encryption of block y using key k. The basic structure in AR-hash can be described as a variant of DES in CBC-mode, where the last 2 ciphertext blocks are added to the current input, and where the state consists of the last two "ciphertext" blocks computed. To do the entire function, the message is processed with two keys, yielding a result of 2 times 128 bits. This is then further compressed to get a result of 128 bits. To deene AR more precisely, we rst divide the message m to be hashed into 8-byte blocks, denoted by m 1 ; m 2 ; :::; m n (0-padding is used on the last block if it is incomplete).